Why am I unable to connect to a webservice with CICS Transaction Server for z/OS (CICS TS) as a service requester? The webservice uses x509 certificate, ws-addressing, ws-security, ws-policy. An internal trace shows the fault returned: "wsse:InvalidSecurityToken".

There are also other errors returned by the webservice, including "namespace prefix undeclared", INVREQ, NOTFND, "SOAPFault faultcode: Unknown faultstring: Unknown".

Suspecting the certificate, we added the personal certificate and received the message:

IRRD125I The key size that was specified or defaulted is not acceptable. The request is not processed.

1 reply

If certificates are being used with WS-Security (for example signing or encryption) then the certificate MUST have a public key and the key must be managed by Integrated Cryptographic Service Facility (ICSF) or PCI cryptographic coprocessor (PCICC). The key type must of of type 2 or 3.

But in addition to that restriction, there are limitations on the key sizes that are used with your certificates. This is more likely with new encryption algorithms that require larger key sizes.

The ICSF keyword can be used on a PCI-class cryptographic coprocessor or older cryptographic coprocessor. However, the key size is limited to 1024 bits. This appears to be the situation at hand.

That size restriction does not apply to PCICC, and a PCICC type with 2048 key size was implemented successfully.

An additional notation: Generation of a certificate with a clear RSA key with a key size greater than 1024 requires that the CP Assist for Cryptographic Functions (CPACF) (feature code 3863) is enabled and the TDES function is available.